
Understanding Internet Identity: Exploring its Functionality and Operation


Passwords have long been a hassle for daily online logins, even with the help of password managers. However, the DFINITY Foundation's Web3 experts are developing a promising alternative called Internet Identity (II), which has the potential to transform online security. 

Internet Identity is a Web3 service that enables users to create a secure "anchor" for their devices, allowing them to log in to compatible services without using passwords. Instead, it utilizes a chip embedded in modern devices to generate disposable passkeys protected by Chain Key cryptography.

The concept behind Internet Identity is to provide a fast and secure way to authenticate oneself when accessing services. It aligns with other Web3 concepts, such as the ability to create multiple online identities, which explains its name. In addition to enhancing security, Internet Identity also offers benefits like hiding one's digital footprint and protecting against identity theft. All of this is made possible through the DFINITY Internet Computer blockchain project.

Internet Identity works as follows: users create an anchor identity embedded in the Internet Computer blockchain and associate their devices with it. These devices use a specialized TPM chip to generate hidden passkeys for signing in to Web3 services and decentralized applications (dapps).

The passkeys are unlocked through biometric authentication or a similarly secure step, eliminating the need for passwords. A handshake protocol based on the device's public and private key pair then signs the user in automatically to compatible services.

This approach offers several advantages for online identity protection. Firstly, there are no passwords to be hacked, and the TPM passkeys remain entirely private, inaccessible to anyone else during the sign-in process. This significantly enhances data security. Additionally, since a new session is created for every login, it becomes more challenging for external entities to track user activities.
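To make the key-pair handshake concrete, here is an added example, not Internet Identity's own code or protocol (which is more involved), written in Go with the standard library's Ed25519: a device-held private key signs a random per-login challenge, the relying party verifies it against the public keys registered to the anchor, rejects a replayed challenge, and issues a fresh session identifier on every login. The type names, the anchor number and the session format are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device models a hardware-backed authenticator: the private key is generated
// on the device and never leaves it. Simplified illustration, not Internet
// Identity's actual implementation.
type Device struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, pub: pub}, nil
}

// PublicKey is the only part of the key pair that is ever shared.
func (d *Device) PublicKey() ed25519.PublicKey { return d.pub }

// Sign is the only operation the device exposes on its private key.
func (d *Device) Sign(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// Anchor is the relying party's record: an identifier plus the public keys of
// the devices registered to it. The replay set is an assumption of this demo.
type Anchor struct {
	ID      uint64
	Devices []ed25519.PublicKey
	used    map[string]bool // challenges already consumed
}

func NewAnchor(id uint64) *Anchor { return &Anchor{ID: id, used: map[string]bool{}} }

func (a *Anchor) AddDevice(pub ed25519.PublicKey) { a.Devices = append(a.Devices, pub) }

// Challenge issues a fresh random nonce for a single login attempt.
func (a *Anchor) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Login checks the signature against every registered device key. A challenge
// is accepted at most once, and each successful login gets a new session id.
func (a *Anchor) Login(challenge, sig []byte) (string, error) {
	key := hex.EncodeToString(challenge)
	if a.used[key] {
		return "", errors.New("challenge already used (replay rejected)")
	}
	for _, pub := range a.Devices {
		if ed25519.Verify(pub, challenge, sig) {
			a.used[key] = true
			session := make([]byte, 16)
			if _, err := rand.Read(session); err != nil {
				return "", err
			}
			return hex.EncodeToString(session), nil
		}
	}
	return "", errors.New("signature does not match any registered device")
}

func main() {
	dev, _ := NewDevice()
	anchor := NewAnchor(10001) // constructed anchor number
	anchor.AddDevice(dev.PublicKey())

	ch, _ := anchor.Challenge()
	session, err := anchor.Login(ch, dev.Sign(ch))
	fmt.Println("first login:", session, err)

	// Replaying the same challenge and signature is refused.
	_, err = anchor.Login(ch, dev.Sign(ch))
	fmt.Println("replay:", err)
}
```

The relying party stores only public keys, so a breach of its database yields nothing that can be replayed as a credential, which is the property the post summarises as "no passwords to be hacked".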

While Internet Identity is based on Web3 and blockchain technologies, it differs from many blockchain-related endeavors that often raise concerns. 

Using Internet Identity does not require owning a blockchain token or incurring any costs. Developers cover the blockchain computations, ensuring the focus remains on privacy rather than financial motivations.

Internet Identity exclusively functions with services supported by the Internet Computer Protocol, primarily Web3 dapps. DFINITY and others anticipate that blockchain authentication methods like Internet Identity will become the norm, and they aim for broad support of their protocol. 

However, this is still uncertain, and currently, many mainstream services, including popular social media platforms, may not support Internet Computer technology unless users are deeply involved in the blockchain tech community.

To utilize Internet Identity, users need standard biometric login features available on everyday devices, such as fingerprint readers and facial identification. For those desiring additional security measures, Internet Identity also supports real-world passkey technologies like YubiKey.

Internet Identity is entirely free and open-source, emphasizing privacy and transparency for user data.

Comparing Internet Identity to passwords, it offers greater convenience when using dapps and ensures robust security. It also reduces the profiling potential of big tech and social media companies like Google. 

Internet Identity allows users to create multiple social identities for enhanced privacy, and personal information is not required. However, it's crucial to properly manage recovery options in case of any issues.

While Internet Identity prevents tracking, it leaves a trail within the blockchain, accessible only by the user via their seed phrase. This trail exists independently of physical devices.

To get started with Internet Identity, users can visit the official website (easily found with their preferred search engine) and follow the step-by-step instructions there. The process involves authenticating oneself, choosing a recovery method (such as a seed phrase or security key), and adding specific devices, such as an Android phone, to the anchor so that everything works properly. For more technical details, users can explore the code on GitHub or seek guidance from the Internet Identity community.

In conclusion, Internet Identity is a worthwhile solution for those using Web3 services or interested in privacy-friendly dapps. While its future, like that of all Web3 technologies, remains uncertain, it serves as a solid foundation for authentication software. 

The best part is that it's entirely free and doesn't involve questionable blockchain investment schemes. This aligns with the preferred Web3 approach, although Internet Identity still needs to demonstrate that it is a significant step forward for the decentralized internet.

3 Key Reasons SaaS Security is Essential for Secure AI Adoption


The adoption of AI tools is revolutionizing organizational operations, providing numerous advantages such as increased productivity and better decision-making. OpenAI's ChatGPT, along with other generative AI tools like DALL·E and Bard, has gained significant popularity, attracting approximately 100 million users worldwide. The generative AI market is projected to surpass $22 billion by 2025, highlighting the growing reliance on AI technologies.

However, as AI adoption accelerates, security professionals in organizations have valid concerns regarding the usage and permissions of AI applications within their infrastructure. They raise important questions about the identity of users and their purposes, access to company data, shared information, and compliance implications.

Understanding the usage and access of AI applications is crucial for several reasons. Firstly, it helps assess potential risks and enables organizations to protect against threats effectively. Without knowing which applications are in use, security teams cannot evaluate and address potential vulnerabilities. Each AI tool represents a potential attack surface that needs to be considered, as malicious actors can exploit AI applications for lateral movement within the organization. Basic application discovery is an essential step towards securing AI usage and can be facilitated using free SSPM tools.

Additionally, knowing which AI applications are legitimate helps prevent the inadvertent use of fake or malicious applications. Threat actors often create counterfeit versions of popular AI tools to deceive employees and gain unauthorized access to sensitive data. Educating employees about legitimate AI applications minimizes the risks associated with these fraudulent imitations.

Secondly, identifying the permissions granted to AI applications allows organizations to implement robust security measures. Different AI tools may have varying security requirements and risks. By understanding the permissions granted and assessing associated risks, security professionals can tailor security protocols accordingly. This ensures the protection of sensitive data and prevents excessive permissions.

Lastly, understanding AI application usage helps organizations effectively manage their SaaS ecosystem. It provides insights into employee behavior, identifies potential security gaps, and enables proactive measures to mitigate risks. Monitoring for unusual AI onboarding, inconsistent usage, and revoking access to unauthorized AI applications are security steps that can be taken using available tools. Effective management of the SaaS ecosystem also ensures compliance with data privacy regulations and the adequate protection of shared data.
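As an added example of the permission review the post calls for (not from the original post or any SSPM vendor's product), the Go program below takes an inventory of third-party application grants, in the shape an SSPM tool or a SaaS platform's admin API reports them, and sorts each into allow, review or revoke: unknown apps and look-alike names are flagged, unverified publishers are marked for revocation, high-risk OAuth scopes are called out individually, and low-adoption apps are noted as possible shadow onboarding. The approved-app list, scope names, threshold and sample grants are constructed placeholders, not real data.

```go
package main

import (
	"fmt"
	"strings"
)

// Grant is one third-party application authorized in a SaaS tenant, in the
// shape an SSPM tool or admin API typically reports. Sample data is constructed.
type Grant struct {
	App       string
	Publisher string
	Verified  bool     // publisher identity verified by the platform
	Scopes    []string // OAuth scopes users consented to
	Users     int      // how many users granted it
}

// Finding is the review verdict for one grant.
type Finding struct {
	App     string
	Action  string // "allow", "review" or "revoke"
	Reasons []string
}

// Placeholder allowlist of the organisation's approved AI applications.
var approvedApps = map[string]bool{"ChatGPT": true}

// Placeholder catalogue of scopes that deserve scrutiny when granted to an AI tool.
var highRiskScopes = map[string]string{
	"files.read.all":  "reads every file in the tenant",
	"mail.read":       "reads user mailboxes",
	"directory.write": "can modify directory objects",
	"offline_access":  "retains access through refresh tokens",
}

// Placeholder threshold below which an app counts as unusual, low-adoption onboarding.
const lowAdoptionThreshold = 5

// looksLikeApproved reports whether an unapproved app's name contains the name
// of an approved one, the pattern counterfeit apps use to borrow trust.
func looksLikeApproved(name string) bool {
	n := strings.ToLower(name)
	for a := range approvedApps {
		if strings.Contains(n, strings.ToLower(a)) {
			return true
		}
	}
	return false
}

// ReviewGrants applies the policy to each grant. An unverified publisher is the
// strongest signal and forces "revoke"; every other finding escalates to "review".
func ReviewGrants(grants []Grant) []Finding {
	out := make([]Finding, 0, len(grants))
	for _, g := range grants {
		f := Finding{App: g.App, Action: "allow"}
		if !approvedApps[g.App] {
			f.Action = "review"
			f.Reasons = append(f.Reasons, "not on the approved AI application list")
			if looksLikeApproved(g.App) {
				f.Reasons = append(f.Reasons, "name resembles an approved app; possible counterfeit")
			}
		}
		if !g.Verified {
			f.Action = "revoke"
			f.Reasons = append(f.Reasons, "publisher not verified by the platform")
		}
		for _, s := range g.Scopes {
			if why, ok := highRiskScopes[s]; ok {
				f.Reasons = append(f.Reasons, "high-risk scope "+s+": "+why)
				if f.Action == "allow" {
					f.Action = "review"
				}
			}
		}
		if g.Users < lowAdoptionThreshold {
			f.Reasons = append(f.Reasons, fmt.Sprintf("onboarded by only %d user(s); check for shadow adoption", g.Users))
			if f.Action == "allow" {
				f.Action = "review"
			}
		}
		out = append(out, f)
	}
	return out
}

// SampleGrants returns constructed inventory data for the demonstration.
func SampleGrants() []Grant {
	return []Grant{
		{App: "ChatGPT", Publisher: "OpenAI", Verified: true, Scopes: []string{"openid", "profile"}, Users: 120},
		{App: "ChatGPT for Sheets", Publisher: "unknown-dev", Verified: false, Scopes: []string{"files.read.all", "offline_access"}, Users: 3},
		{App: "Bard Assistant", Publisher: "example-publisher", Verified: true, Scopes: []string{"mail.read"}, Users: 8},
	}
}

func main() {
	for _, f := range ReviewGrants(SampleGrants()) {
		fmt.Printf("%-20s %-7s %s\n", f.App, f.Action, strings.Join(f.Reasons, "; "))
	}
}
```

Running it prints the approved, verified app as allowed, the look-alike with an unverified publisher and tenant-wide file access as revoke, and the unapproved but verified app with a mailbox scope as review. In practice the grant list would come from the platform's admin API or an SSPM export rather than a hard-coded sample.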

In conclusion, while AI applications offer significant benefits, they also introduce security challenges that must be addressed. Security professionals should leverage existing SaaS discovery capabilities and SaaS Security Posture Management (SSPM) solutions to answer fundamental questions about AI usage, users, and permissions. By utilizing these tools, organizations can save valuable time and ensure secure AI implementation.

Microsoft & Fortra Seek Court Order to Remove Ransomware Hacking Tool That Targeted Hospitals


A number of cybersecurity businesses, including Microsoft, launched a full-scale legal crackdown on one of the primary hacking tools used by malware criminal groups in their operations. Microsoft, Fortra, and the Health Information Sharing and Analysis Center (H-ISAC) announced a broad legal strategy to combat malicious versions of Fortra's Cobalt Strike and Microsoft's software development kits. 

Cobalt Strike is a popular penetration testing program that lets businesses evaluate their security defenses before a real attack. Malicious hackers, however, have for years used cracked versions of the tool to execute devastating ransomware attacks and other intrusions.

In November 2021, the Department of Health and Human Services warned healthcare organizations that both state-backed hackers and cybercriminal groups were using the tool in their attacks. The now-defunct Conti ransomware group sought to use Cobalt Strike to implant malware on Ireland's publicly funded healthcare system the same year.

On Friday, the United States District Court for the Eastern District of New York granted the organizations a court order authorizing them to confiscate domain names where hostile actors had been storing and disseminating malicious copies of Cobalt Strike.

The court ruling permits Microsoft, Fortra, and the H-ISAC to automatically notify and deactivate IP addresses in the United States that are hosting tainted versions of these tools. These takedowns will begin immediately, and the court order allows further takedowns as criminals build new infrastructure.

On Thursday, Microsoft will also alert hosting providers in Latin America and the European Union about domain names suspected of hosting infected copies of Cobalt Strike.

Microsoft and Fortra were also granted a temporary restraining order against anyone who violated their programmes' copyright, making it easier for them to confiscate and shut down rogue versions of the software.

It is uncommon for private corporations to use the judicial system on their own to pursue dangerous hackers. While Microsoft has previously used court orders to take down specific groups, today's steps are the company's first aimed at specific tools used by a diverse spectrum of individuals.

"This is something that we jokingly call an advanced persistent disruption; it is not going to be done on Thursday," Amy Hogan-Burney, general manager and associate general counsel for cybersecurity policy and protection at Microsoft, told Axios.

Cybercriminals are frequently adaptable, and they have been quick to rebuild their networks following past law enforcement crackdowns.

After all of the attention devoted to Cobalt Strike, Microsoft has already begun examining tools that they expect bad actors would turn to next, according to Hogan-Burney.

7-year Android Malware Campaign Targeted Uyghurs: Report


A long-running surveillance and espionage campaign targeting one of China's largest ethnic minority groups has been revealed by researchers. Palo Alto Networks discovered the "Scarlet Mimic" group in 2016, which was initially spotted targeting Uyghur and Tibetan rights activists. 

Although the Chinese government has long oppressed and spied on these and other minority groups in the country, no direct attribution of this group's activities to Beijing is currently available. Check Point explained in a new report this week that Scarlet Mimic's mobile malware dates back to 2015. 

“The malware is relatively unsophisticated from a technical standpoint. However, its capabilities allow the attackers to easily steal sensitive data from the infected devices, even perform calls or send an SMS and track their location in real-time,” said Check Point.

“This makes it a powerful and dangerous surveillance tool. This tool also allows audio recording of incoming and outgoing calls, as well as surround recording.”

Check Point has since identified 20 variants of the MobileOrder Android spyware, the most recent of which was discovered in mid-August of this year.


The malware is thought to be hidden in applications with Uyghur-language titles and disguised as PDF documents, photos, or audio. According to Check Point, it is spread through social engineering rather than being made available on the Google Play Store.

“When the victim opens the decoy content, the malware begins to perform extensive surveillance actions in the background. These include stealing sensitive data such as the device information, SMS messages, the device location, and files stored on the device,” the report continued.

“The malware is also capable of actively executing commands to run a remote shell, take photos, perform calls, manipulate the SMS, call logs and local files, and record the surround sound.”

Check Point advised anyone who might be a victim of this campaign to install anti-malware software on their device, use a VPN, and avoid clicking on suspicious links.

"Scarlet Mimic seems to be a politically motivated group. In the past, there have been reports from other researchers that it could be linked to China,” the vendor concluded.

“If true, it would make these surveillance operations part of a much wider issue, as this minority group has reportedly been on the receiving end of attacks for many years.”

This week, Beijing is on the defensive at the United Nations after a long-awaited report from the UN Human Rights Office confirmed evidence of serious human rights violations against Uyghur and other ethnic minority groups in Xinjiang.

Kronos Ransomware Attack May Cause Weeks of HR Solutions Downtime


Kronos, a provider of workforce management tools, has been hit by ransomware, which will likely shut down many of their cloud-based solutions for weeks. Kronos succumbed to a ransomware attack on December 11th, over the weekend. Due to this, Kronos announced that the UKG solutions employing the 'Kronos Private Cloud' are unavailable. 

Kronos is a human resources and workforce management software firm that offers cloud-based solutions for timekeeping, payroll, employee benefits, analytics, and more. Kronos and Ultimate Software merged in 2020 to establish UKG, a new corporation. 

"As we previously communicated, late on Saturday, December 11, 2021, we became aware of unusual activity impacting UKG solutions using Kronos Private Cloud," disclosed Bob Hughes, Executive Vice President for UKG. 

"We took immediate action to investigate and mitigate the issue, and have determined that this is a ransomware incident affecting the Kronos Private Cloud—the portion of our business where UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions are deployed." 

UKG Pro, UKG Ready, and UKG Dimensions are not affected because they do not use the Kronos Private Cloud. 

"Kronos offers a hosting environment built upon a secure infrastructure, which undergoes examinations from an independent auditor in accordance with the AICPA's SSAE18 (i.e., SOC 1) and the American Institute of Certified Public Accountants' TSP Section 100a, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (i.e., SOC 2 and SOC 3)," states the description of the Kronos Private Cloud infrastructure. 

To prevent unauthorized access to its systems, Kronos uses firewalls, multi-factor authentication, and encrypted transmissions, according to the company. Unfortunately, as part of the attack, the threat actors were able to infiltrate these systems and presumably encrypt servers. 

Kronos Private Cloud (KPC) is described by UKG as a secure storage and server facility hosted in third-party data centers. Workforce Central, Workforce TeleStaff, TeleTime IP, Enterprise Archive, Extensions for Healthcare (EHC), and the FMSI environments are all hosted on this infrastructure.

Many organizations, including car manufacturers, educational institutions, and local governments, use Kronos' software. Tesla, Temple University, Community Bank, and the San Francisco Municipal Transit Authority are among Kronos' customers. 

Hack 'Sabbath': Evasive New Ransomware Discovered


Owing to its small size and unusual techniques, a modest yet capable ransomware group has been carrying out attacks largely undetected. 

According to Mandiant, the operation, named UNC2190 or "Sabbath," began in September and started attacks in October. Since then, the gang claims to have infected several firms and has threatened to reveal the stolen data if their ransom demand is not met. 

As per a Mandiant blog post, the Sabbath ransomware group has attacked and extorted at least one school system in the United States. Sabbath, like other ransomware operations, is thought to depend heavily on the ransomware-as-a-service model, in which the operators engage individual "affiliate" hackers to execute the on-the-ground labour of infiltrating networks and installing the ransomware.

One of the risks posed by the Sabbath ransomware operation is that the group has managed to avoid detection owing to a number of factors. To begin, the organisation has altered its tools, including the Cobalt Strike Beacon remote control tool, to avoid detection. The scale of the operation in comparison to other ransomware brands also helped keep its activities under the radar. 

Sabbath, according to Mandiant, has its origins in a prior ransomware attack known as Arcane. Both are believed to be managed by the same UNC2190 group. However, unlike larger, more well-known ransomware groups, UNC2190's transition from Arcane to Sabbath was not quickly noticed. 

While it's not uncommon for huge ransomware gangs to rebrand their activities, Tyler McLellan, a principal analyst at Mandiant and co-author of the blog post, told SearchSecurity that a tiny, relatively unknown team like Arcane doesn't generally alter its brand. 

McLellan explained, "We've seen some of the larger groups like DarkSide and Babuk rebrand when public and government pressure was too great. In the case of the smaller groups like Sabbath, it could be rebranded over much more mundane reasons such as a payment dispute between group members and a rebranding is an attempt to start fresh minus the problem group members." 

Sabbath may have some influence over the ransomware scene, even if it is not as large as DarkSide or Babuk. As per McLellan, some of Sabbath's approaches, notably its use of several customised malware payloads, might be adopted by other ransomware crews attempting to avoid detection by security providers and law enforcement. 

"As detection of ransomware intrusions improves at the early pre-ransomware stages, we expect the threat actors will continue to adapt to stay ahead of the detection curve and increase the pace to deploy ransomware faster after an initial intrusion," McLellan added.